Is there a quick way to retrieve the list of all unique values of an indexed field?

I know I could search for the field and pipe to uniq, but hoping there might be something faster.

asked 12 May '10, 19:36

NancyCunningham

edited 31 May '11, 15:11

jlaw ♦

2 Answers:

Absolutely. There are several ways to do this. Let's assume your field is called 'foo'.

The most straightforward way is to use the stats command:

<your search> | stats count by foo

Using stats opens up the door to collect other statistics by those unique values. For example:

<your search> | stats count avg(duration) dc(username) by foo

which will take the average of a field called duration and the distinct count of values of username, with each statistic being computed just for a given value of foo.

http://www.splunk.com/base/Documentation/latest/SearchReference/Stats

Another way worth mentioning is to just use top:

<your search> | top foo limit=10000
answered 12 May '10, 20:08

sideview ♦

For host, source, and sourcetype specifically, you can use the `| metadata` search command, which can certainly be much faster. If you need this a lot, run a scheduled search that runs over recent data and updates a lookup table (`... | append [ inputlookup mytable ] | dedup myfield1, myfield2 | outputlookup mytable`), i.e., basically you generate and maintain the metadata yourself periodically.

(31 May '10, 13:30) gkanapathy ♦
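An added example (not from either answer) that puts the two suggestions above together: the first search uses `| metadata` to list hosts without scanning events, the second is the scheduled maintenance search from the comment above extended to keep first/last sighting timestamps and a running count, the third reads the persisted list, and the fourth uses it to list values first seen in the last hour. The names are placeholders: an index `main`, a sourcetype `firewall` carrying a field `src_ip`, and a lookup file `known_src_ip.csv` that the first run creates with the `append` line omitted (inputlookup errors on a file that does not exist yet).

```spl
| metadata type=hosts index=main
| fields host firstTime lastTime totalCount
| convert ctime(firstTime) ctime(lastTime)

index=main sourcetype=firewall earliest=-1h@h latest=@h
| stats min(_time) as first_seen max(_time) as last_seen count by src_ip
| append [ inputlookup known_src_ip.csv ]
| stats min(first_seen) as first_seen max(last_seen) as last_seen sum(count) as count by src_ip
| outputlookup known_src_ip.csv

| inputlookup known_src_ip.csv
| convert ctime(first_seen) ctime(last_seen)
| sort - last_seen

| inputlookup known_src_ip.csv
| where first_seen >= relative_time(now(), "-1h@h")
| convert ctime(first_seen)
```

Schedule the second search hourly with the same `earliest`/`latest` window so every event is counted exactly once; the `min(first_seen)` after the append is what lets the lookup remember when each value was first observed, which is what the fourth search relies on.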

Actually, we were hoping that, because it is an indexed field, there is some kind of metadata or list that is persisted that we could access quickly, without running a search over all our events. I guess the simplest case would be source, sourcetype, or host - is there any quick way to find the list of all indexed hosts without going through stats or some other search? It seems like there must be, because the summary view displays those. We'd like to pull that type of summary information for any indexed field to get a list of all possible field values.

answered 13 May '10, 16:23

esachs ♦

can you add this as a comment to Nick's answer, and not as a new answer?

(14 May '10, 19:30) piebob ♦♦

For some reason, I don't see an "add comment" field on Nick's answer. Is there some other way to do that?

(18 May '10, 15:28) esachs ♦

For host, source, and sourcetype specifically, you can use the `| metadata` search command.

(31 May '10, 13:27) gkanapathy ♦
Copyright © 2005-2012 Splunk Inc. All rights reserved.